Firewall Wizards mailing list archives

Re: Link level security with static arp tables


From: "Martin A. Brown" <mabrown-firewall-wizards () securepipe com>
Date: Mon, 13 Oct 2003 17:21:07 -0500 (CDT)


Dear Debian User,

You didn't specify Linux in your post, but judging from your question and
your handle, I feel safe in assuming that your question is about Linux.
The tools I describe below are only available under kernel 2.2.20+ and
2.4.18+ systems.

 : I could disable arp on eth0 and use static arp tables in the gw, but
 : that would mean that the gateway won't answer any arp queries, hence
 : the clients will not be able to find its MAC. Setting up static arp
 : tables in clients is not an option.

Have you heard of "ip arp"?

  http://www.ssi.bg/~ja/#iparp
  http://www.ssi.bg/~ja/iparp.txt

Julian's kernel and iproute2 patch provide support for ARP filtering.

 : I could use netfilter MAC matching support in the kernel, but that
 : would mean I have to add 50 rules to the ruleset adding considerable
 : overhead. Moreover, it is a link level problem that should be solved in
 : the same level, so netfilter is not an attractive option. Please
 : comment if I'm wrong.

I don't see how 50 netfilter rules would cause much overhead.  You could
create a file with your 50 desired MAC addresses (harvested with a bit of
"arp -n") and write a generic script which calls all of the commands to
allow only these MAC addresses.

Even so, the clever user can alter the MAC address on many/most ethernet
cards today:

  http://linux-ip.net/html/tools-ip-link.html#tools-ip-link-set-address

I imagine that this is possible on other operating systems as well.
Naturally, your users may not be so sophisticated.  Nonetheless, you
should be able to limit traffic to the expected set of hosts only by
combining a strong switch configuration and MAC address limiting on your
gateway.

Best of luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown () securepipe com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
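The "generic script" Martin suggests, as an added example that is not part of the original post: it reads a flat file of allowed MAC addresses, normalises and validates them, and emits the netfilter commands that allow only those sources on the gateway's LAN interface. The interface name (eth0), the file location, the chain name MAC_WHITELIST and the one-address-per-line file format are assumptions; the `-m mac --mac-source` match and the LOG/DROP targets are standard iptables. The commands are printed rather than executed so the generated ruleset can be reviewed first and then piped to `sh` on the gateway.

```shell
#!/bin/sh
# Added example (not from the original post): build a netfilter allow-list of
# client MAC addresses from a file, instead of typing 50 rules by hand.
# Assumed: LAN interface eth0, chain name MAC_WHITELIST, file format of one
# MAC per line with '#' comments permitted.

LAN_IF="${LAN_IF:-eth0}"
CHAIN="${CHAIN:-MAC_WHITELIST}"

# Print the usable addresses from the file, one per line: comments and
# whitespace stripped, lowercased, and anything that is not a well-formed
# aa:bb:cc:dd:ee:ff address rejected so a typo never becomes a rule.
normalize_macs() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
        | tr 'A-F' 'a-f' \
        | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Number of addresses that will actually turn into rules.
count_allowed() {
    normalize_macs "$1" | grep -c .
}

# Emit the iptables commands without running them.  Known MACs RETURN to the
# calling chain (normal rules continue); everything else arriving on the LAN
# interface is logged and dropped.
gen_rules() {
    macfile="$1"
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    normalize_macs "$macfile" | while read -r mac; do
        echo "iptables -A $CHAIN -m mac --mac-source $mac -j RETURN"
    done
    echo "iptables -A $CHAIN -j LOG --log-prefix \"unknown-mac: \""
    echo "iptables -A $CHAIN -j DROP"
    # Hook the chain in front of locally delivered and forwarded traffic.
    echo "iptables -I INPUT -i $LAN_IF -j $CHAIN"
    echo "iptables -I FORWARD -i $LAN_IF -j $CHAIN"
}

# Constructed sample input (not from the post): two valid addresses, one of
# them uppercase, plus a comment and a malformed line that must be rejected.
write_sample_macs() {
    cat > "$1" <<'EOF'
# workstation-1
00:11:22:33:44:55
# printer, typed in uppercase
AA:BB:CC:DD:EE:FF
# a typo that must not become a rule
00:11:22:33:44
EOF
}

# Stand-alone demo: build the constructed allow-list and print the commands
# that would be run ("sh script.sh --demo | sh" applies them on a gateway).
if [ "${1:-}" = "--demo" ]; then
    demo_file="${TMPDIR:-/tmp}/allowed-macs.demo.$$"
    write_sample_macs "$demo_file"
    gen_rules "$demo_file"
    rm -f "$demo_file"
fi
```

Pointing the script at the real address file (harvested with `arp -n`, as the post suggests) replaces the demo file; re-running it after the file changes regenerates the whole chain, which is why the chain is flushed before the rules are appended.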